[Samba] rc3: Server packet had invalid SMB signature!

[Riegel, Bernhard]

(refers to posting "Samba 3.0 + ADS, winbind problem" from August, 28th)

Setup: 
client: SuSE8.2 professional (kernel 2.4.20-4GB) with openldap2 2.1.12
and heimdal kerberos 0.4e from the SuSE CDs and Samba 3.0.0RC3 compiled
from source with flags "--with-ads --with-pam --with-acl-support".
server: Windows 2003 Server as Active Directory Controller (configured
as pure Win2000/Win2003-AD, Administrator password changed (several
times).

With RC3 I now reran my tests towards an integration of the samba3.0 as
a member server into the Win2k3-AD.

The join into the domain works, but smbclient yields:
[2003/09/09 13:39:32, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!

here the steps I performed
adslinux:/etc # /etc/init.d/nmb3 start && /etc/init.d/smb3 start && 
/etc/init.d/winbind3 start
Starting Samba3 NMB daemon        done
Starting Samba 3 SMB daemon       done
Starting Samba 3 WINBIND daemon   done
adslinux:/etc # kdestroy
adslinux:/etc # kinit Administrator at ZRHTEST.SDM.DE
Administrator at ZRHTEST.SDM.DE's Password:
adslinux:/etc # net ads join
Using short domain name -- ZRHTEST
Joined 'ADSLINUX' to realm 'ZRHTEST.SDM.DE'
adslinux:/etc # klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator at ZRHTEST.SDM.DE
    Cache version: 4

Server: krbtgt/ZRHTEST.SDM.DE at ZRHTEST.SDM.DE
Ticket etype: arcfour-hmac-md5, kvno 2
Session key: des
Auth time:  Sep  9 13:40:09 2003
End time:   Sep  9 23:38:55 2003
Ticket flags: initial, pre-authenticated
Addresses: IPv4:192.168.30.1

Server: adswintest$@ZRHTEST.SDM.DE
Ticket etype: arcfour-hmac-md5, kvno 3
Session key: des-cbc-md5
Auth time:  Sep  9 13:40:09 2003
Start time: Sep  9 13:40:15 2003
End time:   Sep  9 23:38:55 2003
Ticket flags: pre-authenticated, ok-as-delegate
Addresses: IPv4:192.168.30.1

Server: kadmin/changepw at ZRHTEST.SDM.DE
Ticket etype: arcfour-hmac-md5, kvno 2
Session key: des
Auth time:  Sep  9 13:40:09 2003
Start time: Sep  9 13:40:16 2003
End time:   Sep  9 13:42:16 2003
Ticket flags: pre-authenticated
Addresses: IPv4:192.168.30.1

adslinux:/etc # smbclient -L //adswintest -k
[2003/09/09 13:39:32, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!
adslinux:/etc # smbclient --version
Version 3.0.0rc3


here the [global] section of my smb.conf:

   workgroup = ZRHTEST
   realm =  ZRHTEST.SDM.DE
   security = ADS
   encrypt passwords = yes
   idmap uid = 10000-65000
   idmap gid = 10000-65000
   winbind enum users = yes
   winbind enum groups = yes
   passdb backend = tdbsam
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = no
   wins server = 192.168.30.32
   dns proxy = no

here my krb5.conf:

[libdefaults]
        ticket_lifetime = 24000
        default_realm = ZRHTEST.SDM.DE
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_etypes   = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5
# heimdal specific settings:
        v4_instance_resolve = false
        # Set this to false to disable MIT krb5 compatibility
        # in GSSAPI get_mic/verify_mic, and become compatible
        # with older Heimdal releases instead.
        gss_mit_compat = true
[realms]
        ZRHTEST.SDM.DE = {
                kdc = adswintest.zrhtest.sdm.de:88
                admin_server = adswintest.zrhtest.sdm.de:749
                default_domain = zrhtest.sdm.de
        }
[domain_realm]
        .zrhtest.sdm.de = ZRHTEST.SDM.DE
        zrhtest.sdm.de = ZRHTEST.SDM.DE
[appdefaults]
pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
}



-- 
Bernhard Riegel                   bernhard.riegel at sdm.de